Spring Security 将此字段值直接注入过滤器链,这是唯一使用它的方法

3z6pesqy  于 2023-06-06  发布在  Spring
关注(0)|答案(1)|浏览(184)

我正在更改代码,以便不使用已弃用的WebSecurityConfigurerAdapter。创造了一个属于自己的世界。当我运行应用程序时,它似乎工作正常。我必须在这里验证两件事。
1.有没有人认为这里需要更多的改变?
1.另一个问题是,当我做下面的更改时,它给了我两个字段的其他声纳问题- jwtAuthenticationEntryPoint和jwtRequestFilter。该问题指出“将该字段值直接注入过滤器链,这是使用该字段值的唯一方法”。我该怎么解决这个问题?

@Configuration
 @EnableWebSecurity
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 public class SecurityConfig {

 @Value("${SSL.ENABLE}")
 private boolean sslEnable;

 @Autowired
 private PasswordEncoder encoder;

 @Autowired
 private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;

 @Autowired
 private UserDetailsService jwtUserDetailsService;

 @Autowired
 private JwtRequestFilter jwtRequestFilter;

 @Autowired
 public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
     // configure AuthenticationManager so that it knows from where to load
     // user for matching credentials
     auth.userDetailsService(jwtUserDetailsService).passwordEncoder(encoder);
 }

 @Bean
 public AuthenticationManager authenticationManager(
         AuthenticationConfiguration authConfig) throws Exception {
     return authConfig.getAuthenticationManager();
 }

 @Bean
 public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {

     httpSecurity.csrf().disable()
             .authorizeRequests()
             .antMatchers("/authenticate").permitAll()
             .antMatchers("/user/updatePassword").permitAll()
            .anyRequest().authenticated()
             .and()                        .exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint).and().sessionManagement()
             .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

     if (sslEnable) {
         httpSecurity.requiresChannel().anyRequest().requiresSecure();
     }

     httpSecurity.addFilterBefore(jwtRequestFilter, UsernamePasswordAuthenticationFilter.class);
     return httpSecurity.build();
 }

}
我还在一些教程中读到他们也创建了一个DaoAuthenticationProvider的Bean。是否真的需要下面这样的东西?

@Bean
public DaoAuthenticationProvider authenticationProvider() {
    DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
    authProvider.setUserDetailsService(jwtUserDetailsService);
    authProvider.setPasswordEncoder(encoder);
    return authProvider;
}
lsmepo6l

lsmepo6l1#

下面的代码可以通过从Spring的applicationContext加载bean来替换,这不会在SonarQube中抛出这个问题。

@Autowired
 private JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;

 @Autowired
 private JwtRequestFilter jwtRequestFilter;

您可以注入applicationContext并加载类,并在可以使用jwtRequestFilter和jwtAuthenticationEntryPoint的地方直接使用该方法。

@Configuration
 @EnableWebSecurity
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 public class SecurityConfig {
 
 
 @Autowired private ApplicationContext applicationContext;
    
    
    private JwtAuthenticationEntryPoint getAuthEntryPoint() {
        return applicationContext.getBean(JwtAuthenticationEntryPoint.class);
    }
    
    
    private JwtRequestFilter getRequestFilter() {
        return applicationContext.getBean(JwtRequestFilter);
    }
 
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity httpSecurity) throws Exception {
       httpSecurity.csrf().disable()
             .authorizeRequests()
             .antMatchers("/authenticate").permitAll()
             .antMatchers("/user/updatePassword").permitAll()
            .anyRequest().authenticated()
             .and()                        .exceptionHandling().authenticationEntryPoint(getAuthEntryPoint()).and().sessionManagement()
             .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

       if (sslEnable) {
         httpSecurity.requiresChannel().anyRequest().requiresSecure();
       }
 
      httpSecurity.addFilterBefore(getRequestFilter(), UsernamePasswordAuthenticationFilter.class);
      ..
      ..
     }
 }

相关问题